This invention relates to a system and method for protecting computer files and/or objects against computer viruses, including malware. In the context of computers and machines, a virus is a self-replicating (self-reproducing automaton) program that spreads by inserting copies of itself into other executable code or documents. Though the term “virus” may be defined as a type of malware (malicious software), it is common to use “virus” to refer to any kind of malware, including worms, Trojan horses, spyware, adware, etc.
Computer antivirus programs are commonly used to detect, clean, and remove computer viruses from infected objects such as data files. One form of detection typically used is scanning of objects resident on a hosting computer system's storage device(s). Objects are scanned for the presence of an embedded virus, and the scanning may be either signature-based or heuristic (such as watching for suspicious behavior). However, signature-based virus scanning relies on signatures obtained from previously-identified viruses and does not detect viruses that have not yet been identified and analyzed (“day-zero” or “zero-day” attacks). These are attacks that have no known solution and/or detection signature. Existing heuristic methods are not foolproof and may fail to detect virus attacks. Thus, antivirus programs may not know that an object has been infected.
These forms of attack pose serious threats to system operation and data integrity. An IPS/IDS (intrusion protection system/intrusion detection system) may be used to guard against day-zero attacks, by detecting anomalous behavior and applying policies that define the system's response. Responses may include notifying the administrator of the problem, limiting port usage, limiting bandwidth, and ultimately isolating the affected computer from the network. It is then up to the administrator to resolve the problem. The problem is usually not solved per se. Instead, the problem is forwarded to the antivirus provider or an attempt is made to restore the system to some point in time prior to the attack.
After a virus has been detected in an object, responses typically involve cleaning or repairing the infected object (the object containing the virus), deleting the infected object, or quarantining the infected object to block further access. Deleting or quarantining the infected object has the disadvantage of making it unavailable for further use. Thus, an attempt may be made to clean or repair the object. Sometimes, however, it is difficult if not impossible to repair the object using existing methods, and the resulting object may be damaged, leaving deletion or quarantine as the only remaining options. Even in cases when the object is successfully cleaned, the process may leave artifacts that result in an object that does not match the uninfected object. The artifacts may be benign and the object usable, but they may be considered unacceptable in some cases, such as by financial institutions. The cleaned object may not have the correct date and timestamp because the time of infection is unknown.
Restoring to a point in time prior to the attack may be problematic, because the administrator does not know when the infection actually occurred. All the administrator knows is when the attack became active. Many attacks lie dormant—sometimes for months or years—and thus, it is not readily apparent when the infection occurred.
There is a need, therefore, for an improved method, article of manufacture, and apparatus for protecting information against viruses on a computer system.